Allow Authentication via Http Header #1042

Closed
MichaelCkr opened this issue Jul 15, 2022 · 4 comments


MichaelCkr commented Jul 15, 2022

Do you want to request a feature or report a bug?

Feature

What is the current behavior?

Authentication for downloading npm and node (goal install-node-and-npm) is only possible via username and password. In a CI pipeline one may usually use a token, which needs an authentication via an HTTP header.

See the code in com.github.eirslett.maven.plugins.frontend.lib.DefaultFileDownloader#execute.

What is the expected behavior?

I'd like to use something like the following server configuration in my Maven settings:

<server>
   <id>gitlab</id>
   <configuration>
      <httpHeaders>
         <property>
            <name>Job-Token</name>
            <value>${env.CI_JOB_TOKEN}</value>
         </property>
      </httpHeaders>
   </configuration>
</server>

with the server id configured in the plugin configuration.

E.g. GitLab added the option to use the CI_JOB_TOKEN for authentication with an HTTP header, see issue 30650 here. Using a token like this allows dropping any configured token, because it is created for every pipeline individually. Using a job token with username and password authentication is unfortunately not possible.

Please mention your frontend-maven-plugin and operating system version.

  • frontend-maven-plugin in version 1.12.1
  • OS: Debian GNU/Linux 10 (buster)
@aixigo-soffermann

Are there any plans on fixing this?

liefke added a commit to liefke/frontend-maven-plugin that referenced this issue Sep 3, 2024
Owner

eirslett commented Sep 4, 2024

It looks like this isn't supported by Maven:
https://maven.apache.org/settings.html#servers

According to the documentation, it seems like Maven only supports basic authentication or SSH keys.
I'm very reluctant to add custom authentication mechanisms that are not part of Maven officially. Is it possible to send the CI token as <password> in Maven, instead of as a header?
I mean, you're already using the same Maven artifactory for downloading your jar dependencies, so it should be working already, right?

liefke added a commit to liefke/frontend-maven-plugin that referenced this issue Sep 4, 2024
Contributor

liefke commented Sep 4, 2024

@eirslett: Thank you for taking your time to look into this.

This is indeed supported by Maven. The configuration section is left empty on your documentation page, but there is another one: https://maven.apache.org/guides/mini/guide-http-settings.html#http-headers

So the example <server> section from above is working for other dependency downloads in Maven, for example when running against Artifactory as repository server (which would not accept the token as HTTP-Auth password).

I had a small bug in my pull request from yesterday, but with the latest commit the HTTP-Header authentication is working as expected.

Contributor

liefke commented Sep 4, 2024

I just realized that my documentation link from above is outdated since Maven 3.9.0, but the following page says the same about HTTP headers: https://maven.apache.org/guides/mini/guide-resolver-transport.html#custom-http-headers

eirslett pushed a commit that referenced this issue Sep 5, 2024
@eirslett eirslett closed this as completed Sep 5, 2024
atl-mk pushed a commit to atlassian-forks/frontend-maven-plugin that referenced this issue Sep 19, 2024
atl-mk pushed a commit to atlassian-forks/frontend-maven-plugin that referenced this issue Sep 19, 2024
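
Added example, not part of the thread and not the plugin's own code: a JDK-only sketch of turning the `<httpHeaders>` block from the `<server>` entry quoted in the issue into request headers, failing closed when the token variable is unset and logging header names only. The class and method names, the URL and the token value are hypothetical, and the `${env.…}` resolution here stands in for Maven's own settings interpolation.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.*;
import java.util.regex.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class ServerHeaderAuth {
    private static final Pattern ENV = Pattern.compile("\\$\\{env\\.([A-Za-z_][A-Za-z0-9_]*)\\}");
    /** Reads <httpHeaders> from one <server> element and resolves ${env.X} against env. */
    static Map<String, String> headersFor(String serverXml, Map<String, String> env) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(serverXml)));
        Map<String, String> headers = new LinkedHashMap<>();
        NodeList props = doc.getElementsByTagName("property");
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            String name = p.getElementsByTagName("name").item(0).getTextContent().trim();
            String raw = p.getElementsByTagName("value").item(0).getTextContent().trim();
            Matcher m = ENV.matcher(raw);
            StringBuilder value = new StringBuilder();
            while (m.find()) {
                String v = env.get(m.group(1));
                // Fail closed: never send the literal placeholder or an empty token.
                if (v == null || v.isEmpty()) throw new IllegalStateException("unset: " + m.group(1));
                m.appendReplacement(value, Matcher.quoteReplacement(v));
            }
            m.appendTail(value);
            headers.put(name, value.toString());
        }
        return headers;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: the <server> block from the issue; token and URL are placeholders.
        String xml = "<server><id>gitlab</id><configuration><httpHeaders><property>"
            + "<name>Job-Token</name><value>${env.CI_JOB_TOKEN}</value>"
            + "</property></httpHeaders></configuration></server>";
        Map<String, String> headers = headersFor(xml, Map.of("CI_JOB_TOKEN", "example-token"));
        HttpRequest.Builder req = HttpRequest.newBuilder(URI.create("https://gitlab.example.invalid/node.tar.gz"));
        headers.forEach(req::header);
        // Log header names only; the value is a credential.
        System.out.println(req.build().uri() + " headers=" + req.build().headers().map().keySet());
    }
}
```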